Abstract: Non-repudiation protocols have an important role in many areas where secured
transactions with proofs of participation are necessary. Formal methods are clever and
without error, therefore using them for verifying such protocols is crucial. To this end,
we show how to partially represent non-repudiation as a combination of authentications on
the Fair Zhou-Gollmann protocol. After discussing the limits of this representation, we
define a new method based on the handling of the knowledge of protocol participants. This
method is very general and natural to use, as it consists of adding simple annotations, as
for authentication problems. The method is very easy to implement in tools able to handle
participants' knowledge. We have implemented it in the AVISPA Tool and analyzed the
optimistic Cederquist-Corin-Dashti protocol, discovering two unknown attacks. This
extension of the AVISPA Tool for handling non-repudiation opens a highway to the
specification of many other properties, without any further change in the tool itself.

Key-words: cryptographic protocols, non-repudiation, fairness, authentication, automatic 
analysis, AVISPA Tool 
Automatic Methods
for the Analysis of Non-Repudiation Protocols
in the Presence of an Active Intruder

Summary: Non-repudiation protocols have an important role in many areas where secured
transactions with proofs of participation are necessary. Formal methods are clever and
without error, so it is crucial to use them for verifying such protocols. To this end, we
show on the Fair Zhou-Gollmann protocol how to partially represent non-repudiation as a
combination of authentications. After discussing the limits of such an approach, we define
a new method based on the handling of the knowledge of the protocol participants. This
method is very general and natural to use, as it consists of adding simple annotations, as
for authentication problems. The method is very easy to implement in tools able to handle
participants' knowledge. We have implemented it in the AVISPA Tool and analyzed the
optimistic Cederquist-Corin-Dashti protocol, discovering two previously unknown attacks.
This extension of the AVISPA Tool for handling non-repudiation opens a highway to the
specification of many other properties, without any further change in the tool.

Keywords: cryptographic protocols, non-repudiation, fairness, authentication, automatic
analysis, AVISPA Tool



Analyzing Non-Repudiation Protocols






1 Introduction 

Considering security protocols, the study of properties such as authentication and secrecy
has been intensive for years [Hj, but interest in other properties such as non-repudiation
and fairness arose only in the 1990s with the explosion of Internet services and
electronic transactions¹.

Non-repudiation protocols are designed for verifying that, when two parties exchange
information over a network, neither one nor the other can deny having participated in this
communication. Such a protocol must therefore generate evidences of participation to be
used in case of a dispute. The basic tools for non-repudiation services have been digital
signatures and public key cryptography. Indeed, when one receives a signed message, he has
an evidence of the participation and the identity of his party [5].

The majority of the non-repudiation property analysis efforts in the literature are manually
driven, though. One of the first efforts to apply formal methods to the verification of
non-repudiation protocols was presented by Zhou et al. in [24], where they used SVO logic.
In [18] Schneider used the process algebra CSP to prove the correctness of a non-repudiation
protocol, the well-known Fair Zhou-Gollmann protocol. With the same goal, Bella et al.
have used the theorem prover Isabelle [3]. Schneider used a rank function for encoding
that, in an execution trace, an event happens before another event. The verification is done
by analyzing traces in the stable failures model of CSP. Among the automatic analysis
attempts, we can cite Shmatikov and Mitchell [19], who have used Murφ, a finite state
model-checker, to analyze a fair exchange and two contract signing protocols; Kremer and
Raskin [5], who have used a game based model; Armando et al. [2], who used LTL for encoding
resilient channels in particular; and the very nice work of Gürgens and Rudolph [5], who have
used the asynchronous product automata (APA) and the simple homomorphism verification
tool (SHVT) [13], raising flaws in three variants of the Fair Zhou-Gollmann protocol and
in two fair non-repudiation protocols [7] [35]. Wei and Heather J2U] have used FDR, with
an approach similar to Schneider's, for a variant of the Fair Zhou-Gollmann protocol with
timestamps.

The common point between all those works is that they use rich logics, with a classical
bad consequence for model checkers: the difficulty of considering large protocols. To avoid
this problem, Wei and Heather [21] used PVS [15], but some of the proofs are still manual.

Fairness is more difficult to achieve: no party should be able to reach a point where he 
has the evidence or the message he requires without the other party also having his required 
evidence. Fairness is not always required for non-repudiation protocols, but it is usually 
desirable. 

A variety of protocols has been proposed in the literature to solve the problem of fair
message exchange with non-repudiation. The first solutions were based on a gradual exchange of
the expected information [S]. However this simultaneous secret exchange is troublesome for
actual implementations because fairness is based on the assumption of equal computational
power on both parties, which is very unlikely in a real world scenario. A possible solution
to this problem is the use of a trusted third party (TTP), and in fact it has been shown
that it is impossible to achieve fair exchange without a TTP P31 [H]. The TTP can be used
as a delivery agent to provide simultaneous sharing of evidences. The Fair Zhou-Gollmann
protocol [23] is a well known example using a TTP as a delivery agent; a significant amount
of work has been done over this protocol and its derivations [3JE1IIB, 24J. However, instead
of passing the complete message through the TTP and thus creating a possible bottleneck,
recent evolution of protocols resulted in efficient, optimistic versions, in which the TTP is
only involved in case anything goes wrong. Resolve and abort sub-protocols must guarantee
that every party can complete the protocol in a fair manner and without waiting for actions
of the other party.

¹ See http://www.lsv.ens-cachan.fr/~kremer/FXbib/references.php for a detailed list of publications
related to the analysis of non-repudiation protocols.

One of these recent protocols is the optimistic Cederquist-Corin-Dashti (CCD) non-repudiation
protocol [4]. The CCD protocol has the advantage of not using session labels, contrary
to many others in the literature [5J [TTJ [SSJ HE]. A session label typically consists of a
hash of all message components. Gürgens et al. [5] have shown a number of vulnerabilities
associated with the use of session labels and, to our knowledge, the CCD protocol is the only
optimistic non-repudiation protocol that avoids the use of session labels altogether.

This paper presents a method for automatically verifying non-repudiation protocols in 
presence of an active intruder. Our method has been implemented in the AVISPA Tool [Tpl 
and we illustrate it with examples. This tool, intensively used for defining Internet security 
protocols and automatically analyzing their authentication and secrecy properties, did not 
provide any help for considering non-repudiation properties. 

We first consider non-repudiation analysis as a combination of authentication problems,
applied to the Fair Zhou-Gollmann protocol. We show the limits of this representation and
the difficulties of proving non-repudiation properties using only authentications. Then,
we define a method based on the analysis of agents' knowledge, which handles
non-repudiation and fairness properties in the same framework. Our approach is very natural
for the user and writing the logical properties is still simple: they correspond to state
invariants that are convincing properties for the user. This method is easy to integrate
in lazy verification systems, such as the AVISPA Tool, and can also be integrated in any
system able to handle agents' (or intruder) knowledge. This should make it easier, contrary
to more complex logics like LTL, to set up abstractions for considering unbounded
cases. It should also give a more efficient verification for bounded cases. We
illustrate this with the optimistic Cederquist-Corin-Dashti protocol.

2 Non-Repudiation Properties 

Non-repudiation (NR) is a general property that may not be clearly defined. It is usually
described as a set of required services, depending on the protocol and the required level of
security. In particular, non-repudiation properties may be different whether a trusted third
party (TTP) is used or not in the protocol.

² http://www.avispa-project.org

Considering a message sent by an originator agent to a recipient agent (possibly via a 
delivery agent, a TTP), we define below some of the most important non-repudiation services 
required by most of the existing security applications (for e-commerce for example). 

Definition 1 The service of non-repudiation of origin, denoted $\mathcal{NRO}_B(A)$, provides
the recipient B with a set of evidences which ensures that the originator A has sent the 
message. The evidence of origin is generated by the originator and held by the recipient. 
This property protects the recipient against a dishonest originator. 

Definition 2 The service of non-repudiation of receipt, denoted $\mathcal{NRR}_A(B)$, provides
the originator A a set of evidences which ensures that the recipient B has received the 
message. The evidence of receipt is generated by the recipient and held by the originator. 
This property protects the originator against a dishonest recipient. 

Definition 3 The service of non-repudiation of submission, denoted $\mathcal{NRS}_A(B)$,
provides the originator A a set of evidences which ensures that he has submitted the message
for delivery to B. This service only applies when the protocol uses a TTP. Evidence of sub- 
mission is generated by the delivery agent, and will be held by the originator. This property 
protects the originator against a dishonest recipient. 

Definition 4 The service of non-repudiation of delivery, denoted $\mathcal{NRD}_A(B)$, provides
the originator A a set of evidences which ensures that the recipient B has received the 
message. This service only applies when the protocol uses a TTP. Evidence of delivery is 
generated by the delivery agent, and will be held by the originator. This property protects 
the originator against a dishonest recipient. 

Definition 5 A service of fairness (also called strong fairness) for a non-repudiation
protocol guarantees that, at the end of the protocol execution, either the originator
has the evidence of receipt of the message and the recipient has the evidence of origin of
the corresponding message, or none of them has any valuable information. This property
protects the originator and the recipient.

Definition 6 A service of timeliness for a non-repudiation protocol guarantees that, what- 
ever happens during the protocol run, all participants can reach a state that preserves fair- 
ness, in a finite time. 

Note that in general sets of evidences such as $\mathcal{NRO}$, $\mathcal{NRR}$, $\mathcal{NRS}$ and $\mathcal{NRD}$ are composed
of messages signed by an agent.

For the sequel of this paper, we will consider the following definition of an evidence. 

Definition 7 An evidence for an agent A for a non-repudiation property P is a message, a 
part of a message, or a combination of both, received by A that is necessary for guaranteeing 
property P. 
Note that in this paper, we consider the evidences given by the protocol designer as
valid: without intervention of an intruder, those evidences are sufficient to guarantee the 
non-repudiation service; and in case of a dispute, a judge analyzing them will always be able 
to protect honest agents. 

3 Non-Repudiation as Authentication 

It is well known that non-repudiation is a form of authentication [16]. In this section we
demonstrate that properties like $\mathcal{NRO}$, $\mathcal{NRR}$, ... can be at least partially represented by
authentication properties. We illustrate this idea with the Fair Zhou-Gollmann protocol.
At the end of this section we show strong limitations of this approach in order to motivate 
the introduction of a new approach in the next section. 

3.1 Running Example: the FairZG Protocol 

In this section we describe the Fair Zhou-Gollmann protocol (FairZG) [23], a fair non- 
repudiation protocol that uses a TTP. We have chosen this protocol as a case study to 
demonstrate our analysis approach because of the existence of significant related work El 
ITS] . The protocol is presented below in Alice&Bob notation, where fNRO, fNRR, fSUB and 
fCON are labels used to identify the purpose of messages. 

1. A -> B: fNRO.B.L.C.NRO 

2. B -> A: fNRR.A.L.NRR 

3. A -> TTP: fSUB.B.L.K.SubK 

4. B <-> TTP: fCON.A.B.L.K.ConK 

5. A <-> TTP: fCON.A.B.L.K.ConK 

and $\mathcal{NRO}_B(A) = \{NRO, ConK\}$
$\mathcal{NRR}_A(B) = \{NRR, ConK\}$

where A (for Alice) is the originator of the message M , B (for Bob) is the recipient of the 
message M, TTP is the trusted third party, M is the message to be sent from Alice to Bob, 
C is a commitment (the message M encrypted by a key K), L is a unique session identifier 
(also called label), K is a symmetric key defined by Alice, NRO is a message used for non- 
repudiation of origin (the message fNRO.B.L.C signed by Alice), NRR is a message used 
for non-repudiation of receipt (the message fNRR.A.L.C signed by Bob), SubK is a proof of 
submission of K (the message fSUB.B.L.K signed by A), ConK is a confirmation of K (the 
message fCON.A.B.L.K signed by the TTP). 

The main idea of the FairZG protocol is to split the delivery of a message into two 
parts. First a commitment C, containing the message M encrypted by a key K, is exchanged 
between Alice and Bob (message fNRO). Once Alice has an evidence of commitment from 
Bob (message fNRR), the key K is sent to a trusted third party (message fSUB). Once the 
TTP has received the key, both Alice and Bob can retrieve the evidence ConK and the key 
K from the TTP (messages fCON). This last step is represented by a double direction arrow 
in the Alice&Bob notation because it is implementation specific and may be composed of
several message exchanges between the agents and the TTP. In this scenario we assume 
the network will not be down forever and both Alice and Bob have access to the TTP's 
shared repository where it stores the evidences and the key. This means that the agents will 
eventually be able to retrieve the key and evidences from the TTP even in case of network 
failures. 

3.2 Non-Repudiation of Origin as Authentication 

In our example, the FairZG protocol, non-repudiation of origin should provide the guarantee 
that if Bob owns $\mathcal{NRO}$ then Alice has sent M to Bob. Proposition [1] shows how this can be
partially done with a set of authentications. 

Definition 8 auth(X,Y,D) is the non-injective authentication, and means X authenticates 
Y on data D. 

The semantics of such a predicate is standard and can be found in [10].

Proposition 1 Given the FairZG protocol, let B be an honest agent.

If auth(B,A,NRO), auth(B,TTP,ConK) and auth(TTP,A,SubK) are satisfied then the
non-repudiation service of origin $\mathcal{NRO}_B(A)$ is satisfied.

Proof: For the two evidences of $\mathcal{NRO}_B(A) = \{NRO, ConK\}$, we have:

• $NRO = Sig_A(fNRO.B.L.\{M\}_K)$: since auth(B,A,NRO) is satisfied, there is an agreement
on $Sig_A(fNRO.B.L.C)$ between B and A. From the signature properties this means also
an agreement on $\{M\}_K$, thus A has sent $\{M\}_K$.

• $ConK = Sig_{TTP}(fCON.A.B.L.K)$: as above auth(B,TTP,ConK) implies an agreement on
K between B and TTP. Furthermore $SubK = Sig_A(fSUB.B.L.K)$, thus auth(TTP,A,SubK)
implies an agreement on K between TTP and A. By transitivity we have an agreement
on K between B and A, which means that A has sent K.

As A has sent $\{M\}_K$ and K, he has sent M. The non-injective authentication is only required
for auth(B,TTP,ConK) because B can ask for ConK many times. However, since all
authentications imply an agreement on the unique session identifier L, this excludes an
authentication across different sessions. □

3.3 Non-Repudiation of Receipt as Authentication 

In our example, the FairZG protocol, non-repudiation of receipt should provide the guarantee
that if Alice owns $\mathcal{NRR}$ then Bob has received M from Alice. The following proposition
shows how this can be done partially with a set of authentications.

Proposition 2 Given the FairZG protocol, let B be an honest agent.

If auth(A,B,NRR), auth(A,TTP,ConK) and auth(B,TTP,ConK) are satisfied then the
non-repudiation service of receipt $\mathcal{NRR}_A(B)$ is satisfied.
Proof: For the two evidences of $\mathcal{NRR}_A(B) = \{NRR, ConK\}$, we have:

• $NRR = Sig_B(fNRR.A.L.\{M\}_K)$: a reasoning as for NRO in Proposition [1] ensures that B
has received $\{M\}_K$.

• $ConK = Sig_{TTP}(fCON.A.B.L.K)$: auth(A,TTP,ConK) implies an agreement on K
between A and TTP. Furthermore auth(B,TTP,ConK) implies an agreement on K between
B and TTP. This means that there is an agreement on K between A and B, thus when
A holds ConK, B has received or will be able to receive K.

The end of the proof is similar to the one of Proposition [1]. □

3.4 Limitations and Difficulties 

At this point there are some problems that motivate the introduction of a new approach 
presented in the next section. 

1. If, contrary to the hypothesis of the previous propositions, the owner of the evidences is
dishonest, he can possibly forge a fake set of evidences. For example, for Bob and $\mathcal{NRR}$ we
need to prove that Bob could only own $\mathcal{NRR}$ if Alice has actually sent the correct protocol
messages. This may be done as for example in [IB], [10] or [3] but this is not trivial.

2. Handling non-repudiation as authentications seems very hard or may not be possible in
general. In particular this task seems difficult for optimistic non-repudiation protocols
that include sub-protocols like abort and resolve as presented in the next section.

3. In general verifying Fairness is a delicate stage and the above remarks make this more 
difficult. 

In conclusion, proving non-repudiation with the help of authentications does not seem to us
to be the right way; this is why in the next section we propose a very easy approach for
handling non-repudiation.

4 Non-Repudiation based on Agent Knowledge 

In this section, we present a new method for considering non-repudiation services and fairness
in the same framework: we introduce a logic for describing state invariants. This
logic is a very classical one, except that we define two new predicates, deduce and aknows,
that allow agents' knowledge to be used in the description of goals. The aknows predicate
is also used as a protocol annotation, with the semantics: agent X knows (or can deduce)
term t.
4.1 Description of Non-Repudiation Properties

The main role of a non-repudiation protocol is to give evidences of non-repudiation to the 
parties involved in the protocol. To analyze this kind of protocol, one must verify which 
participants have their non-repudiation evidences at the end of the protocol execution. For 
example, if the originator has all its evidences for non-repudiation of receipt, then the service 
of non-repudiation of receipt is guaranteed. If the recipient has all its evidences for non- 
repudiation of origin, then the service of non-repudiation of origin is guaranteed. If both 
parties (or none of them) have their evidences, fairness is guaranteed. In other words, to 
analyze non-repudiation, we need to verify if a set of terms is known by an agent at the end 
of the protocol execution. 

And for considering a large class of non-repudiation protocols, we shall not restrict 
evidences to a set of terms, but we have to consider them as a combination of terms using 
standard logical connectors (conjunction, disjunction, negation). 

For considering non-repudiation and fairness properties involving honest and dishonest
agents, we have defined a new predicate that gives access to the knowledge of protocol
participants. This predicate, named aknows, is used in the specification of protocol
transitions and of properties.

Definition 9 ($\mathcal{NR}\cdot_X(Y)$) Let $A$ be a set of agents playing a finite number of sessions $S$ of
a protocol, $T$ a set of terms sent in the messages of this protocol and $\mathcal{E}$ the subset of terms
in $T$ that are part of the evidences of non-repudiation in the protocol. For an agent $X \in A$,
$\mathcal{NR}\cdot_X(Y)$ is a logical combination of terms $t \in \mathcal{E}$ that constitute the evidence for a service
of non-repudiation $\mathcal{NR}\cdot$ for agent X wrt. agent Y.

Definition 10 (aknows) Let $A$ be a set of agents playing a finite number of sessions $S$ of
a protocol, and $T$ a set of terms. The annotation aknows(X, s, t) is a predicate with $X \in A$,
$s \in S$ and $t \in T$, expressing that agent X, playing in session s of the protocol, knows (or
can deduce) the term t.

The semantics of predicate aknows(X, s, t) is that the term t can be composed by agent X,
according to its current knowledge in the session s of the protocol, whether this agent is
honest or not. This composability test can be easily done by any tool that is able to manage
agents' knowledge or intruder knowledge.

By abuse of notation, we may write aknows(X, s, L), for a logical formula L combining
evidences ($\mathcal{NR}\cdot_X(Y)$ for example), considering that the predicate aknows is a
homomorphism:

$$aknows(X, s, L_1 \wedge L_2) = aknows(X, s, L_1) \wedge aknows(X, s, L_2)$$
$$aknows(X, s, L_1 \vee L_2) = aknows(X, s, L_1) \vee aknows(X, s, L_2)$$
$$aknows(X, s, \neg L) = \neg\, aknows(X, s, L)$$

Definition 11 (deduce) Let $A$ be a set of agents playing a finite number of sessions of a
protocol and $T$ a set of terms. We define deduce(X, t), with $X \in A$ and $t \in T$, as the
predicate which means that X can deduce t from its knowledge.
We will use the same abuse of notation for deduce as for aknows.

In the following, we assume that each aknows annotation corresponds to a valid deduce 
predicate on the same information, in order to avoid bad annotations. 

Definition 12 The evidence $\mathcal{NR}\cdot_X(Y)$ is well-formed if it contains information that
uniquely identifies the session, and if it contains an injective function of the message M
for which $\mathcal{NR}\cdot$ acts as a protection against a dishonest agent.

We now give the results obtained by this representation. 

Proposition 3 Given a non-repudiation service of B against A about a message M with
the well-formed evidence $\mathcal{NR}\cdot_B(A)$ in session s of a protocol. If the following formulae are
true at the session end then the non-repudiation service is valid.

$$aknows(B, s, \mathcal{NR}\cdot_B(A)) \Rightarrow aknows(A, s, M)$$
$$deduce(B, \mathcal{NR}\cdot_B(A)) \Rightarrow aknows(B, s, \mathcal{NR}\cdot_B(A))$$

Proof: A sketch of proof is as follows: by the second implication, if B is able to deduce
$\mathcal{NR}\cdot_B(A)$ then $aknows(B, s, \mathcal{NR}\cdot_B(A))$ is included in its knowledge. Furthermore, since
$\mathcal{NR}\cdot_B(A)$ is well-formed, $\mathcal{NR}\cdot_B(A)$ and $aknows(B, s, \mathcal{NR}\cdot_B(A))$ are related to the same
session.

Now since $\mathcal{NR}\cdot_B(A)$ is well-formed it includes all the information in M, thus the first
implication implies an agreement on M between B and A. Finally, as aknows(A, s, M) is an
annotation, this means that A has followed the protocol, thus he has done what he must do
with M. □

Remark: verifying the formulas given in the above Proposition is not a problem, because a
priori any theorem prover can compute whatever can be deduced by an agent at a given
step of the protocol, especially concerning the deduce predicate.

Corollary 1 Given a non-repudiation service of origin for B against A about message M,
in session s of a protocol. If $\mathcal{NRO}_B(A)$ is well-formed and the following formulae are true
at the session end then the service is valid.

$$aknows(B, s, \mathcal{NRO}_B(A)) \Rightarrow aknows(A, s, M)$$
$$deduce(B, \mathcal{NRO}_B(A)) \Rightarrow aknows(B, s, \mathcal{NRO}_B(A))$$

Corollary 2 Given a non-repudiation service of receipt for A against B about message M,
in session s of a protocol. If $\mathcal{NRR}_A(B)$ is well-formed and the following formulae are true
at the session end then the service is valid.

$$aknows(A, s, \mathcal{NRR}_A(B)) \Rightarrow aknows(B, s, M)$$
$$deduce(A, \mathcal{NRR}_A(B)) \Rightarrow aknows(A, s, \mathcal{NRR}_A(B))$$
4.2 Description of Fairness

In the literature, authors often give different definitions of fairness for non-repudiation pro-
tocols. In some definitions none of the parties should have more evidences than the others 
at any given point in time. Others have a more flexible definition in which none of them 
should have more evidences than the others in the end of the protocol run. In many works 
it is also not very clear if only successful protocol runs are taken into account, or partial 
protocol runs are valid as well. 

In this paper the latter definition of fairness will be used and we take into account complete
protocol runs. By complete protocol run we mean a run where, even though the protocol
could not have reached its last transition for all agents, there is no executable transition left,
i.e. all possible protocol steps have been executed, but this does not mean that all agents
are in a final state.

We define this standard fairness as a function of non-repudiation of origin and of
non-repudiation of receipt. If both properties, $\mathcal{NRO}$ and $\mathcal{NRR}$, are ensured or both are not
satisfied for a given message M, then we have fairness.

Proposition 4 Given a protocol whose purpose is to send a message from Alice to Bob,
we have the following equivalence concerning the standard definition of fairness for a given
session s. If the non-repudiation is valid for the $\mathcal{NRO}$ and $\mathcal{NRR}$ services then:

$$Fairness = aknows(Bob, s, \mathcal{NRO}_{Bob}(Alice)) \text{ iff } aknows(Alice, s, \mathcal{NRR}_{Alice}(Bob))$$

This result can be generalized to fairness wrt. a set of non-repudiation services as follows. 

Theorem 4.1 Given a protocol involving a finite number of agents, given a finite set of
valid non-repudiation services $\mathcal{NR}$, the protocol is fair wrt. $\mathcal{NR}$ iff

$$\forall\, \mathcal{NRS}_{1\,X_1}(Y_1),\ \mathcal{NRS}_{2\,X_2}(Y_2) \in \mathcal{NR},$$
$$aknows(X_1, s, \mathcal{NRS}_{1\,X_1}(Y_1)) \text{ iff } aknows(X_2, s, \mathcal{NRS}_{2\,X_2}(Y_2))$$

4.3 Running Example: CCD 

For illustrating the analysis method described later on, we will use a recent protocol, the
optimistic Cederquist-Corin-Dashti (CCD) non-repudiation protocol. The CCD protocol
has been created for permitting an agent A to send a message M to an agent B in a fair
manner. This means that agent A should get an evidence of receipt of M by B (EOR) 
if and only if B has really received M and the evidence of origin from A (EOO). EOR 
permits A to prove that B has received M, while EOO permits B to prove that M has been 
sent by A. The protocol is divided into three sub-protocols: the main protocol, an abort 
sub-protocol and a resolve sub-protocol. 
The Main Protocol. It describes the sending of M by A to B and the exchange of
evidences in the case where both agents can complete the entire protocol. If a problem
happens to one of the agents, in order to finish the protocol properly, the agents execute
the abort or the resolve sub-protocol with a trusted third party (TTP).

The main protocol is therefore composed of the following message exchanges, described
in the Alice&Bob notation:

1. $A \rightarrow B : \{M\}_K.EOO_M$ where $EOO_M = \{B.TTP.H(\{M\}_K).\{K.A\}_{K_{ttp}}\}_{inv(K_a)}$

2. $B \rightarrow A : EOR_M$ where $EOR_M = \{EOO_M\}_{inv(K_b)}$

3. $A \rightarrow B : K$

4. $B \rightarrow A : EOR_K$ where $EOR_K = \{A.H(\{M\}_K).K$

where $K$ is a symmetric key freshly generated by A, $H$ is a one-way hash function, $K_g$ is the
public key of agent g and $inv(K_g)$ is the private key of agent g (used for signing messages).
Note that we assume that all public keys are known by all agents (including dishonest agents).

In the first message, A sends the message M encrypted by K and the evidence of origin 
for B (message signed by A, so decryptable by B). In this evidence, B can check his identity, 
learns the name of the TTP, can check that the hash code is the result of hashing the first 
part of the message, but cannot decrypt the last part of the evidence; this last part may be 
useful if any of the other sub-protocols is used. 

B answers by sending the evidence of receipt for A, A checking that $EOR_M$ is $EOO_M$ signed
by B.

In the third message, A sends the key K, permitting B to discover the message M. 
Finally, B sends to A another evidence of receipt, permitting A to check that the symmetric 
key has been received by B. 

The Abort Sub-Protocol. The abort sub-protocol is executed by agent A in case he
does not receive the message $EOR_M$ at step 2 of the main protocol. The purpose of this
sub-protocol is to cancel the message exchange.

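1. $A \rightarrow TTP : \{abort.H(\{M\}_K).B.\{K.A\}_{K_{ttp}}\}_{inv(K_a)}$

2. $TTP \rightarrow A : \begin{cases} E_{TTP} & \text{if } resolved(A.B.K.H(\{M\}_K)) \\ AB_{TTP} & \text{otherwise} \end{cases}$

   where $E_{TTP} = \{A.B.K.H(\{M\}_K)\}_{inv(K_{ttp})}$
   and $AB_{TTP} = \{A.B.H(\{M\}_K).\{K.A\}_{K_{ttp}}\}_{inv(K_{ttp})}$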



In this sub-protocol, A sends to the TTP an abort request, containing the abort label and 
some information about the protocol session to be aborted. 

According to what happened before, the TTP has two possible answers: if this is the first 
problem received by the TTP for this protocol session, the TTP sends a confirmation of 
abortion, and stores in its database that this protocol session has been aborted; but if the 
TTP has already received a request for resolving this protocol session, he sends to A the 
information for completing his evidence of receipt by B. 
The Resolve Sub-Protocol. The role of this second sub-protocol is to permit agents A
and B to finish the protocol in a fair manner, if the main protocol cannot be run until its
end by some of the parties. For example, if B does not get $K$ or if A does not get $EOR_K$,
they can invoke the resolve sub-protocol.

1. $G \rightarrow TTP : EOR_M$

2. $TTP \rightarrow G : \begin{cases} AB_{TTP} & \text{if } aborted(A.B.K.H(\{M\}_K)) \\ E_{TTP} & \text{otherwise} \end{cases}$

where G stands for A or B. 

A resolve request is done by sending $EOR_M$ to the TTP. If the protocol session has
already been aborted, the TTP answers by the abortion confirmation. If this is not the
case, the TTP sends $E_{TTP}$ so that the user could complete its evidence of receipt (if G is
A) or of origin (if G is B). Then the TTP stores in its database that this protocol session
has been resolved.



Agents' Evidences. For this protocol, according to [4], the logical formulas of evidences
are:

$$\mathcal{NRO}_B(A) = \{M\}_K \wedge EOO_M \wedge K$$
$$\mathcal{NRR}_A(B) = \{M\}_K \wedge EOR_M \wedge (EOR_K \vee E_{TTP})$$

Note that there are two possibilities of evidences for non-repudiation of receipt, according 
to the way the protocol is run. 

According to our method, we simply have to annotate protocol steps with aknows 
predicates, and then write the logical formula to verify. The following table shows where those 
annotations take place in the three CCD sub-protocols, for considering non-repudiation of 
origin and of receipt. 



| $\mathcal{NRO}_B(A)$ | Protocol - step |
|---|---|
| aknows(B, s, $\{M\}_K$) | Main - 1. |
| aknows(B, s, $EOO_M$) | Main - 1. |
| aknows(B, s, $K$) | Main - 3. |
| aknows(B, s, $K$) | Resolve - 2. |

| $\mathcal{NRR}_A(B)$ | Protocol - step |
|---|---|
| aknows(A, s, $\{M\}_K$) | Main - 1. |
| aknows(A, s, $EOR_M$) | Main - 2. |
| aknows(A, s, $EOR_K$) | Main - 4. |
| aknows(A, s, $E_{TTP}$) | Abort - 2. |
| aknows(A, s, $E_{TTP}$) | Resolve - 2. |



According to Corollary [TJ non-repudiation of origin for the CCD protocol is represented 
by the following invariant formulas: 

$$aknows(B, s, \{M\}_K \wedge EOO_M \wedge K) \Rightarrow aknows(A, s, M)$$

$$deduce(B, s, \{M\}_K \wedge EOO_M \wedge K) \Rightarrow aknows(B, s, \{M\}_K \wedge EOO_M \wedge K)$$
According to Corollary non-repudiation of receipt for the CCD protocol is represented 
by the following invariant formulas: 

$$aknows(A, s, \{M\}_K \wedge EOR_M \wedge (EOR_K \vee E_{TTP})) \Rightarrow aknows(B, s, M)$$

$$deduce(A, s, \{M\}_K \wedge EOR_M \wedge (EOR_K \vee E_{TTP})) \Rightarrow aknows(A, s, \{M\}_K \wedge EOR_M \wedge (EOR_K \vee E_{TTP}))$$

For analyzing fairness, this protocol requires timeliness, that is each participant should 
reach a final state before testing fairness. Fairness for the CCD protocol is described by the 
following logical formulas, a very simple application of Theorem 14. II 

$$aknows(A, s, \mathcal{NRR}_A(B)) \Leftrightarrow aknows(B, s, \mathcal{NRO}_B(A))$$

Basically the property states that if A knows the EOR evidence ($\{M\}_K$, $EOR_M$, and $EOR_K$ 
or $E_{TTP}$), then B must know the EOO evidence. And symmetrically for B, if B knows the 
EOO evidence ($\{M\}_K$, $EOO_M$, and $K$ or $E_{TTP}$), then A must know the EOR evidence. 

The CCD protocol has been specified in the AVISPA Tool, with the description of the 
fairness property given above. The detailed formulas used in the AVISPA Tool, with an 
LTL syntax, are: 

$$\Box\big( (aknows(A, s, \{M\}_K) \wedge aknows(A, s, EOR_M) \wedge (aknows(A, s, EOR_K) \vee aknows(A, s, E_{TTP}))) \Rightarrow (aknows(B, s, \{M\}_K) \wedge aknows(B, s, EOO_M) \wedge aknows(B, s, K)) \big)$$

$$\Box\big( (aknows(B, s, \{M\}_K) \wedge aknows(B, s, EOO_M) \wedge aknows(B, s, K)) \Rightarrow (aknows(A, s, \{M\}_K) \wedge aknows(A, s, EOR_M) \wedge (aknows(A, s, EOR_K) \vee aknows(A, s, E_{TTP}))) \big)$$

Several scenarios have been run, and two of them have raised an attack, showing that 
the CCD protocol does not provide the fairness property for which it has been designed. 

The first attack has been found for a scenario where only one session of the protocol 
is run, between honest agents. The problem is raised when some messages of the main 
protocol are delayed, either by slow network traffic or by the action of an intruder. The 
consequence of this delay is that A will invoke the abort sub-protocol and B will invoke the 
resolve sub-protocol. And if the resolve request reaches the TTP before the abort request, B 
will get all his necessary evidences from the TTP, while A is not able to get all his evidences 
even with the help of the TTP. 
The originality of this attack is that, at the end: 

• A will guess (according to the answer received to his abort request) that the protocol 
has been resolved by B, so he will assume that B knows M and can build the proof 
that A has sent it; but A cannot prove this; 

• B has resolved the protocol and has received from the TTP the information for getting 
M and building the proof that A has sent M; but he does not know that A does not 
have his proof; 
• the TTP will think that B has asked for the protocol to be resolved, followed by A; 
so for him, both A and B can build their evidences. 

So, this trace shows that the CCD protocol is not fair, even if both agents A and B are 
honest. The attack is due to a malicious intruder or a network problem, and the TTP is of 
no help for detecting the problem. 

The second attack is a variant: it happens when agent A plays the protocol with a 
dishonest agent B (named i, for intruder). As soon as i has received the first message from 
A, he builds $EOR_M$ and sends it to the TTP as resolve request. When A decides to abort 
the protocol, this is too late: the protocol has already been resolved, the intruder can get 
M and build the proof that A has sent M, and A cannot build the evidence of receipt. We 
have corrected the protocol and the numerous scenarios that have been tried on the new 
version have not raised any attack. This experiment on the CCD protocol is detailed in [17]. 
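
The race behind both attacks can be replayed with a few lines of Python. This is an added example, not the AVISPA specification used by the authors: it encodes the aknows annotations from the tables above and the TTP abort/resolve rules as described in the text, and assumes that only Main-1 is delivered before A aborts and B resolves (the page does not say which messages are delayed). The names `run`, `ttp` and `explore` are hypothetical, and cryptography and the intruder are abstracted away.

```python
from itertools import permutations

# aknows annotations per main-protocol step, transcribed from the tables above.
MAIN = {
    "Main-1": [("A", "{M}K"), ("B", "{M}K"), ("B", "EOO_M")],
    "Main-2": [("A", "EOR_M")],
    "Main-3": [("B", "K")],
    "Main-4": [("A", "EOR_K")],
}

def nro_b(know):
    """NRO_B(A) = {M}K and EOO_M and K, evaluated on B's knowledge."""
    return {"{M}K", "EOO_M", "K"} <= know["B"]

def nrr_a(know):
    """NRR_A(B) = {M}K and EOR_M and (EOR_K or E_TTP), on A's knowledge."""
    return {"{M}K", "EOR_M"} <= know["A"] and bool({"EOR_K", "E_TTP"} & know["A"])

def ttp(status, kind, agent, know):
    """TTP rule for one request; returns the stored session status."""
    if kind == "abort":
        if status == "resolved":
            know["A"].add("E_TTP")       # Abort-2 annotation
            return status
        return "aborted"                 # reply is AB_TTP, no evidence gained
    if status == "aborted":
        return status                    # Resolve-2 answers AB_TTP
    know[agent].add("K" if agent == "B" else "E_TTP")  # Resolve-2 annotation
    return "resolved"

def run(delivered, requests):
    """Replay delivered main steps, then TTP requests in arrival order."""
    know = {"A": set(), "B": set()}
    for step in delivered:
        for agent, term in MAIN[step]:
            know[agent].add(term)
    status = None
    for kind, agent in requests:
        status = ttp(status, kind, agent, know)
    return know

def fair(know):
    """Fairness invariant: A holds NRR_A(B) iff B holds NRO_B(A)."""
    return nrr_a(know) == nro_b(know)

def explore(delivered=("Main-1",)):
    """Check both TTP arrival orders; the delivered prefix is an assumption."""
    reqs = [("abort", "A"), ("resolve", "B")]
    return {order: fair(run(delivered, order)) for order in permutations(reqs)}
```

`explore()` reports the abort-first order as fair and the resolve-first order as unfair: B ends up holding NRO_B(A), while A has E_TTP but never obtained EOR_M.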

5 Conclusion 

Non-repudiation protocols have an important role in many areas where secured transactions 
with proofs of participation are necessary. The evidences of origin and receipt of a message 
are two examples of elements that the parties should have at the end of the communication. 
We have given two very different examples of such protocols. The FairZG protocol is an 
intensively studied protocol in which the role of the trusted third party is essential. The 
CCD protocol is a more recent non-repudiation protocol that avoids the use of session labels 
and distinguishes itself by the use of an optimistic approach, the trusted third party being 
used only in case of a problem in the execution of the main protocol. 

The fairness of a non-repudiation protocol is a property difficult to analyze and there are 
very few tools that can handle the automatic analysis of this property. The contribution of 
this work is twofold. First, we have illustrated with the FairZG protocol how difficult it is 
to consider full non-repudiation properties using only a combination of authentications. 

Second, we have defined a new method that makes it very easy to handle 
non-repudiation properties and fairness in the same framework. This method is based on the 
handling of agents' knowledge and can be used to automatically analyze non-repudiation 
protocols as well as contract signing protocols [19]. We have implemented it in the AVISPA 
Tool and have successfully applied it to the CCD protocol, proving that it is not fair. 
We have also tested other specifications of the CCD protocol, for example with secure 
communication channels between agents and the TTP, and for the original definition for the 
abort sub-protocol: no attack has been found; but using such channels is not considered as 
acceptable, because it requires too much work for the TTP. 

Our method, based on the writing of simple state invariants, is easy to use, and can be 
implemented in any tool handling agents' (or intruder) knowledge. It should be very helpful 
for setting abstractions for handling unbounded scenarios, and it should be very efficient for 
bounded verifications, as has been the case in our implementation. We hope that this 
work will open a highway to the specification of many other properties, without any more 
change in the specification languages and the analysis engines. 